MariaDB Server, issue MDEV-29287

Variety of stacks / memory overwrite issues when using CSV/max_error_count | SIGSEGV in free_root



    Description

      The following testcase reliably reproduces the issue. However, different similar testcases (including this testcase) lead to a variety of different stacks, indicating that random memory is being overwritten or similar.

      SET sql_mode='',max_error_count=1024;
      CREATE TABLE t (a SET('a','b') NOT NULL) ENGINE=CSV;
      INSERT INTO t VALUES (1),(2),(3),(4),(5),(6),(7),(8),(9),(10);
      INSERT INTO t VALUES (1),(2),(3),(4),(5),(6),(7),(8),(9),(10);
      INSERT INTO t VALUES (1),(2),(3),(4),(5),(6),(7),(8),(9),(10);
      INSERT INTO t VALUES (1),(2),(3),(4),(5),(6),(7),(8),(9),(10);
      INSERT INTO t VALUES (1),(2),(3),(4),(5),(6),(7),(8),(9),(10);
      INSERT INTO t VALUES (1),(2),(3),(4),(5),(6),(7),(8),(9),(10);
      INSERT INTO t SELECT A.a FROM t A,t B,t C;
      UPDATE t SET a=NULL;
      UPDATE t SET a=NULL;  # Repeat as needed #
      

      Leads to:

      10.10.0 e1caa4bd5e8b4645944b85d4b603bf9fc9ef6ca4 (Debug)

      Core was generated by `/test/MD290722-mariadb-10.10.0-linux-x86_64-dbg/bin/mysqld --no-defaults --core'.
      Program terminated with signal SIGSEGV, Segmentation fault.
      #0  0x00005616f2be7d7a in free_root (root=0x14a1d4006db8, 
          MyFlags=MyFlags@entry=0) at /test/10.10_dbg/mysys/my_alloc.c:493
      493	    old=next; next= next->next ;
      [Current thread is 1 (Thread 0x14a2600b4700 (LWP 4049157))]
      (gdb) bt
      #0  0x00005616f2be7d7a in free_root (root=0x14a1d4006db8, MyFlags=MyFlags@entry=0) at /test/10.10_dbg/mysys/my_alloc.c:493
      #1  0x00005616f217788c in Warning_info::free_memory (this=this@entry=0x14a1d4006db8) at /test/10.10_dbg/sql/sql_error.cc:529
      #2  0x00005616f2177a9e in Warning_info::clear (this=0x14a1d4006db8, new_id=<optimized out>) at /test/10.10_dbg/sql/sql_error.cc:558
      #3  0x00005616f21ca61a in Warning_info::opt_clear (query_id=<optimized out>, this=<optimized out>) at /test/10.10_dbg/sql/sql_error.h:623
      #4  Diagnostics_area::opt_clear_warning_info (query_id=<optimized out>, this=<optimized out>) at /test/10.10_dbg/sql/sql_error.h:1140
      #5  mysql_execute_command (thd=thd@entry=0x14a1d4000db8, is_called_from_prepared_stmt=is_called_from_prepared_stmt@entry=false) at /test/10.10_dbg/sql/sql_parse.cc:3528
      #6  0x00005616f21b9534 in mysql_parse (thd=thd@entry=0x14a1d4000db8, rawbuf=<optimized out>, length=<optimized out>, parser_state=parser_state@entry=0x14a2600b3330) at /test/10.10_dbg/sql/sql_parse.cc:8037
      #7  0x00005616f21c6b1c in dispatch_command (command=command@entry=COM_QUERY, thd=thd@entry=0x14a1d4000db8, packet=packet@entry=0x14a1d400b6e9 "UPDATE t SET a=NULL", packet_length=packet_length@entry=19, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_class.h:1366
      #8  0x00005616f21c9226 in do_command (thd=0x14a1d4000db8, blocking=blocking@entry=true) at /test/10.10_dbg/sql/sql_parse.cc:1407
      #9  0x00005616f232a744 in do_handle_one_connection (connect=<optimized out>, connect@entry=0x5616f51304c8, put_in_cache=put_in_cache@entry=true) at /test/10.10_dbg/sql/sql_connect.cc:1418
      #10 0x00005616f232ac4d in handle_one_connection (arg=0x5616f51304c8) at /test/10.10_dbg/sql/sql_connect.cc:1312
      #11 0x000014a27af43609 in start_thread (arg=<optimized out>) at pthread_create.c:477
      #12 0x000014a27ab2f133 in clone () at ../sysdeps/unix/sysv/linux/x86_64/clone.S:95
      

      Bug confirmed present in:
      MariaDB: 10.3.36 (dbg), 10.3.36 (opt), 10.4.26 (dbg), 10.5.17 (dbg), 10.6.9 (dbg), 10.7.5 (dbg), 10.8.4 (dbg), 10.9.2 (dbg), 10.10.0 (dbg)
      MySQL: 5.6.51 (dbg), 5.6.51 (opt)

      Bug (or feature/syntax) confirmed not present in:
      MariaDB: 10.4.26 (opt), 10.5.17 (opt), 10.6.9 (opt), 10.7.5 (opt), 10.8.4 (opt), 10.9.2 (opt), 10.10.0 (opt)
      MySQL: 5.5.62 (dbg), 5.5.62 (opt), 5.7.38 (dbg), 5.7.38 (opt), 8.0.29 (dbg), 8.0.29 (opt)
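To make the reproduction above repeatable on a throwaway test build (for example when verifying a fix), here is an added shell helper that is not part of the ticket: it emits the testcase with the final UPDATE repeated N times and classifies the mysql client's output as a lost connection or a normal run. The `test` database name, the `mysql` client on PATH and its `--force` option are assumptions.

```shell
#!/bin/sh
# Added helper, not part of MDEV-29287: emit the ticket's reproducer and classify the
# client's output so a run against a throwaway test server can be scripted.
# Assumptions: the `mysql` client is on PATH and the `test` database exists and is empty.
set -u

# Print the reproducer SQL from the ticket; $1 = number of times to repeat the final UPDATE.
build_repro_sql() {
  repeats="${1:-2}"
  printf '%s\n' "SET sql_mode='',max_error_count=1024;"
  printf '%s\n' "CREATE TABLE t (a SET('a','b') NOT NULL) ENGINE=CSV;"
  i=0
  while [ "$i" -lt 6 ]; do
    printf '%s\n' "INSERT INTO t VALUES (1),(2),(3),(4),(5),(6),(7),(8),(9),(10);"
    i=$((i + 1))
  done
  printf '%s\n' "INSERT INTO t SELECT A.a FROM t A,t B,t C;"
  i=0
  while [ "$i" -lt "$repeats" ]; do
    printf '%s\n' "UPDATE t SET a=NULL;"
    i=$((i + 1))
  done
}

# Number of statements the reproducer contains for a given repeat count (9 fixed + repeats).
count_statements() {
  build_repro_sql "$1" | wc -l | tr -d ' '
}

# Classify captured client output: "crash" if the connection to the server was lost
# (client errors 2013 / 2006, the visible symptom of the SIGSEGV above), otherwise "ok".
classify_client_output() {
  case "$1" in
    *"ERROR 2013"*|*"ERROR 2006"*|*"Lost connection"*|*"gone away"*) echo crash ;;
    *) echo ok ;;
  esac
}

# Run the reproducer on a test server and report the classification.
# Usage: run_repro <repeats> [mysql client options], e.g. run_repro 5 --socket=/tmp/mysql.sock
# --force keeps the client going after SQL errors so a disconnect shows up in the output.
run_repro() {
  repeats="$1"; shift
  out="$(build_repro_sql "$repeats" | mysql --force "$@" test 2>&1)"
  classify_client_output "$out"
}
```

Increase the repeat count until the classification flips to `crash` on an affected debug build; on a fixed build it should stay `ok` regardless of the count.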

People

  rucha174 Rucha Deodhar
  Roel Roel Van de Paar